Research Spotlight: The Evil That Bots Do

It’s All About the Information

"There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!"

The last part of the quote above always seems to play in my head during the course of an average day in information security. It really is all about information in many different aspects. One aspect I would like to highlight is collecting information about those who are attacking you. Specific information potentially useful to those defending networks and systems could be:

• The Software Itself - Perhaps the most useful information you can have, understanding what the malicious software (a.k.a. "malware") does is critical in being able to detect, prevent and remove it from your systems.
• The Users - Understanding how and why the end-user is using the software can provide some useful information (admittedly not as useful as analyzing the software itself). Malware can give an attacker a host of features. Knowing which ones are using it for denial of service attacks, and which groups are stealing bank data can help aid detection and forensics analysis (on both the system and the network).
• The Programmer - Probably the least useful to those defending networks on an everyday basis. Most authors of malware are most-likely motivated by profit, and create software to sell on the black market. Sometimes interesting things can be found in the software itself, indicating potentially where the software was created and providing hints as to the author's skill level.

I'd like to highlight some of the above information in this article (and an upcoming podcast) as it relates to botnets and malware. There is an endless supply of malware designed to perform a wide-array of "evil biddings". There is an entire economy behind botnets, including outsourcing, marketing and shady business schemes. All of this activity is happening on our networks today, leading to service disruptions from distributed denial of service (DDoS) attacks to theft of banking information.

Tenable has produced several configuration audits and updates to enterprise products, such as the Log Correlation Engine (LCE) and Passive Vulnerability Scanner (PVS), to help detect this activity in your environment. Nessus ProfessionalFeed customers can download the configuration auditing files that detect malware from the Tenable Support Portal Virus Detection Policies page (requires a Tenable Support Portal Login). For more detailed information on how Nessus is able to detect viruses, refer to the article Auditing Infected Systems for Viruses and Trojans with Nessus.

Detecting Common Malware with Nessus

The links below are located in the Nessus Discussion Forums and detail some of the most recent malware checks (links require that you register for a free account with the forum). Each one contains some details about the malware it detects (or methods used to detect malware) and links to the Tenable Support Portal where you can download the configuration audits. Some examples of discussion forum threads on this topic:

• Warbot Audit now available - Warbot is an interesting "botnet kit". It includes standard elements, such as the ability to launch distributed denial of service attacks and download and execute other programs. The web-based management interface is written in AJAX, providing a really slick way of managing your botnet. It sells for a rock bottom price of $200 USD and there are already cracked versions that allow you to use all of the features for free.
• Audit for Storm/Pecoan.AG - The Storm worm was all the rage in 2008, being one of the first botnets to use a "fastflux" network to conceal the “command and control” IP addresses. Earlier this year it made a resurgence and is commonly used to send spam.
• SpyEye Leak, Nessus Audit - SpyEye is another botnet/malware tool that is focused on obtaining financial information. It similar to the "Zeus" bot that is very popular; in fact the SpyEye malware even tries to remove the Zeus bot from infected hosts. SpyEye currently sells for $1,000 USD, coming in much cheaper than buying a Zeus botnet kit. (You can listen to Dennis Brown's segment on the Zeus botnet/trojan that aired on PaulDotCom Security Weekly Episode 200.)
• Update to the Blacklist Perl Script/TASL - LCE customers can use the DNS Blacklist file (requires a Tenable Support Portal login) to compare your network's DNS queries to a list of known IP addresses hosting botnet activity, sites hosting trojans,
  infected sites involved in drive-by download attacks, and other sites known to be participating in other malicious activity. This is a great way to detect what internal hosts in your environment are infected with malware without directly scanning your client systems.
• Detecting the TDSS/TDL3/Tidserv rootkit with Nessus - While there is nothing spectacular about this rootkit, it did cause a problem for those installing the MS10-015 security bulletin. If a system infected with the TDSS/TDL3/Tidserv rootkit were to install this patch, the system would present the "blue screen of death".

Conclusion

Attackers will go to great lengths to prevent detection. Antivirus software alone cannot protect 100% of your systems 100% of the time. Using configuration audits, Nessus ProfessionalFeed users can detect malware on systems via registry keys and files used by the malware. LCE and PVS customers can monitor local DNS traffic to detect which hosts are contacting known “command and control” systems. In an upcoming Tenable podcast episode, Dennis Brown will describe in detail how each of these checks work and provide some insight into the underground culture and economy.